A number of modules need to be compiled into the
kernel before you begin.
These are,
loop-back device support
CryptoAPI support
A Crypto cipher (I chose AES)
Crypto device support
Loop crypto device support

2. Load the modules

Load the modules with modprobe,

Code:

modprobe -a cipher-aes cryptoloop

3. Create an empty file

Create an empty file. This file will hold the encrypted
ISO image so it must be larger than the image you wish
to burn.
The following command will create a file 600M in size

Code:

dd if=/dev/urandom of=encrypted.iso bs=1024 count=600000

4. Attach the encrypting loop device to the file.

This is done with the losetup command. Once the loop back
device is attached all data passed to the loop back device
will be encrypted and written to your file.
Attach the loop back device with,

Code:

losetup -e aes /dev/loop0 encrypted.iso

5. Create an iso image.

Just create an iso image in the normal way and write it to a
second file something like this,

Code:

mkisofs -o cdrom.iso /my/secret/data

6. Encrypt the image

This is the simplest part! Just type,

Code:

cat cdrom.iso > /dev/loop0

7. Burn the image to disk

Just use cdrecord in the normal way.

Code:

cdrecord -v speed=8 dev=1,0,0 -data encrypted.iso

Now you have written the encrypted ISO image to a cdrom.
To mount the CDROM simply attach the loop back device to the
CDROM device and then mount the loop back device.

Create an empty file. This file will hold the encrypted
ISO image so it must be larger than the image you wish
to burn.
The following command will create a file 600M in size

Code:

dd if=/dev/zero of=encrypted.iso bs=1024 count=600000

Creating a file from /dev/zero isn't really a great idea; you should use /dev/urandom (taken from http://www.kerneli.org/howto/node3.php).
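Why the fill source matters, as an added example that is not part of the thread: the unused tail of the backing file is burned to the disc as-is, so with a /dev/zero fill anyone can read off where the encrypted data ends. The file names, the sizes and the random bytes standing in for AES output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and sizes are constructed.
BS=1024

# make_container FILE FILL TOTAL_BLOCKS DATA_BLOCKS
# FILL is /dev/zero or /dev/urandom, matching the two dd variants above.
make_container() {
    dd if="$2" of="$1" bs=$BS count="$3" 2>/dev/null
    # Stand-in for the AES output that "cat cdrom.iso > /dev/loop0" would
    # write: random bytes (assumption: the ciphertext looks random).
    dd if=/dev/urandom of="$1" bs=$BS count="$4" conv=notrunc 2>/dev/null
}

# used_blocks FILE
# Prints how many leading blocks an observer can tell are in use, by
# walking back from the end until a block that is not all zero bytes.
used_blocks() {
    n=$(( $(wc -c < "$1") / BS ))
    while [ "$n" -gt 0 ]; do
        nonzero=$(dd if="$1" bs=$BS skip=$((n - 1)) count=1 2>/dev/null |
                  tr -d '\000' | wc -c)
        [ "$nonzero" -eq 0 ] || break
        n=$((n - 1))
    done
    echo "$n"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_container "$dir/zero.img" /dev/zero 100 40
    make_container "$dir/rand.img" /dev/urandom 100 40
    echo "zero-filled:    $(used_blocks "$dir/zero.img") of 100 blocks visibly used"
    echo "urandom-filled: $(used_blocks "$dir/rand.img") of 100 blocks visibly used"
    rm -rf "$dir"
}

demo
```

The zero-filled container gives away the exact data length (40 blocks), while the urandom-filled one looks in use all the way to the end.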

Since the encrypted iso is exactly the same size as the plaintext iso, you don't have to worry about whether you pack the filesystem with random data. You do have to worry, however, about the fact that an adversary has a good clue as to how much data you are storing. I don't know if this makes an attack easier, though. So it's probably not that big of a deal. I use this method for when I want to take an old plaintext cd and turn it into an encrypted cd.

Just a question, but can you mount an encrypted cd on a different system? Do you just mount it like normal and then it asks for a password, or do you need to be on the same system?

I had this working perfectly in the latest stable release of the gentoo kernel. I recently decided to try out the gentoo-test-sources (2.4.22r0) though, and it doesn't seem to work so well. The cipher-aes module that we need to modprobe for seems to have been renamed to aes. The cryptoloop module seems to have disappeared altogether.
I don't get an error when I do the line:

Code:

modprobe -a aes cryptoloop

but losetup informs me that the encryption method is unavailable.
Anyone else found and/or licked this problem yet? I haven't been game to try the 2.6 kernel yet, so have absolutely no idea whether it is a problem there or not.

It doesn't matter what system the CD is mounted on.
I have an encrypted dongle I use between machines.

Tom

Can you provide some more details on the dongle... Who makes it? How does it work? Where can I find more information about it?

I haven't heard about those things before, so it sounds pretty interesting to me.

Can answer my own question now in case anyone else has the same problem. Gave up on kernel 2.4.22 and went straight to 2.6. The following commands allow a cd burnt under kernel 2.4 using the instructions above, to be mounted under 2.6